Information Security Management

Policy on Information Security

Toshiba regards all information handled in the course of its business activities, such as customer information, management information, and technical and production information, as important assets. Its policy is to manage all corporate information as confidential information and to ensure that it is not inappropriately disclosed, leaked or used. In view of this, Toshiba has a fundamental policy "to manage and protect such information assets properly, with top priority on compliance." The policy is stipulated in the chapter "Corporate Information and Company Assets" of the Toshiba Group Standards of Conduct, and awareness of it among managers and employees is encouraged.

In response to regulatory changes and changes in the social environment, Toshiba revises the related rules on an ongoing basis so as to rigorously manage its information security.

We are rolling out information security management programs to our subsidiaries in Japan and overseas. In formulating the rules and guidelines for promoting information security at our overseas subsidiaries, we also take local circumstances into account.

Information Security Management Framework

Addressing information security as a management priority, Toshiba Group has established an information security management structure under the supervision of the Chief Information Security Officer, who is the General Executive of the Information & Security Group. In this structure the head of each organization, such as the head of each corporate staff division, the president of each in-house company and the president of each group company, is responsible for information security.

The Chief Information Security Officer periodically convenes meetings of the Corporate Information Security Committee to engage in the deliberations necessary for reliable implementation of company-wide information security. The head of the Information Security Center, apart from serving as the Secretariat of the Corporate Information Security Committee, assists the Chief Information Security Officer and formulates and implements policies and measures to ensure that internal regulations related to information security are implemented smoothly, efficiently and reliably.

The CRO (Chief Risk-Compliance Management Officer) and the heads of the Information Systems division, Legal Affairs division, Human Resources division, Intellectual Property division and other concerned divisions serve as committee members and are responsible for the matters necessary for thorough implementation of information security in the business processes under their control.

At the Toshiba in-house companies, the company presidents serve as Information Security Management Executives and bear full responsibility for managing information security at their respective companies. The Information Security Management Executives appoint Information Security Implementation Managers who are responsible for operation of the information security management system.

The Information Security Management Executives provide guidance and assistance to the group companies under their control to ensure that they implement information security of a level equivalent to that of Toshiba.

[Figure: Toshiba Group Information Security Management Structure]

Information Security Checks and Audits

Toshiba, with its wide portfolio of businesses, considers the autonomous implementation of the PDCA (Plan-Do-Check-Action) cycle by each business or division to be vital for ensuring the information security of the company. With this in view, every Toshiba division conducts an annual self-audit of its compliance with internal rules, for the purpose of formulating its own improvement plan.

The Toshiba Information Security Center evaluates the results of these self-audits and the related improvement activities, provides guidance and assistance where necessary, and reports the status to the Chief Information Security Officer. In FY2010, all divisions at Toshiba Corp., Japan had conducted their self-audits by the end of January 2011 and are working to improve the non-conformities found.

In addition, these self-audits are applied throughout Toshiba Group worldwide. In FY2010, in addition to Toshiba Corporation, 194 group companies in Japan and 213 group companies overseas conducted self-audits to improve their level of information security.

Furthermore, business units that handle important and confidential information in particular have acquired ISMS (Information Security Management System) certification. As of May 2011, 21 companies (25 divisions), including Toshiba Corp., have acquired the certification.

Information Security Measures

Implementation of Information Security Measures from Four Perspectives
(1) Organizational measures: Establish an organizational structure and rules
  • Periodic reviews of information security-related regulations
  • Development and maintenance of structure
  • Implementation of audits, etc.

(2) Personal and legal measures: Ensure adherence to rules
  • Regulation of information protection duties and disciplinary measures for breach of duties in rules of employment
  • Provision of periodic employee education and training
  • Contractor information security evaluation and conclusion of confidentiality agreements, etc.

(3) Physical measures: Support implementation of rules in terms of physical security
  • Carry-in/carry-out control of information devices
  • Facility access control, room / facility entry control
  • Locking of highly important information, etc.

(4) Technical measures: Support implementation of rules in terms of technology
  • Virus protection and hard disk encryption
  • Application of security patches
  • Appropriate management of network firewalls, etc.

The Information Security Center incorporates these measures into regulations and guidelines, communicates them throughout Toshiba, provides briefings at half-yearly company-wide meetings, and makes them accessible through a company-wide information sharing database. The center is also undertaking similar implementation at group companies.

Information Security Education

To ensure strict compliance with internal regulations, Toshiba provides annual education on information security and protection of personal data to all executives, employees and temporary staff. In FY2010, approximately 170,000 employees of Toshiba Group, including nearly 30,000 Toshiba Corp. employees, received this education through e-learning or other educational programs.

In addition to the periodic education, Toshiba provides specialized courses, namely an IT version and a Management version of information security education, to the staff concerned with security implementation. A total of 540 such staff had received this education by the end of FY2010. Introductory education on information security is also provided to newly hired employees, and in FY2010 all new employees received orientation on information security.

Confidential Information Protection Policy

Toshiba has established regulations concerning information security and appropriately ensures the protection of confidential information. Following the November 2005 revision of the Unfair Competition Prevention Act, Toshiba revised and reinforced these regulations, which require the appropriate management of information, including confidential customer information obtained under contracts, and prohibit the mixing of other companies' information with that of Toshiba.

In order to ensure adherence to these regulations, in FY2006 Toshiba obtained a written confidentiality pledge from all employees at the time of information security education, and it has subsequently obtained the same from newly hired employees.

Confidential Information Protection Framework

Toshiba has developed an information security management framework, designated information security roles and responsibilities, and operates the framework in accordance with regulations.

In the information security regulations, Toshiba has designated the Information Owner Section, which is the section that develops information or obtains information from third parties under a duty of confidentiality or duty of care. The Head of the Information Owner Section plays an important role in the protection of confidential information by evaluating the importance of the information in terms of confidentiality, integrity and availability, deciding the methods of handling the information, and so on.

Response to Incidents Such as Leakage of Confidential Information

In the event an information security incident such as the leakage of confidential information occurs, Toshiba responds promptly in accordance with the information security incident reporting structure.

[Chart: Information Security Incident Reporting Structure]

When an employee becomes aware of the occurrence or potential occurrence of an incident involving the leakage of corporate information, the employee promptly reports it to the Implementation Manager. The Implementation Manager, upon receipt of such a report, devises the necessary measures, such as an investigation into the cause and consideration of actions to prevent recurrence. In the case of the occurrence or potential occurrence of a serious leakage of confidential information that may constitute a violation of laws or ordinances, Toshiba implements measures in accordance with the applicable law or ordinance, such as disclosure, following discussion among the related corporate staff divisions.

Incidents Related to Confidential Information

In FY2010, no incident related to leakage of information possessed by Toshiba occurred. We will further reinforce our efforts to prevent information security-related incidents.

Personal Data Protection Policy

Toshiba appropriately protects the personal data it obtains from stakeholders in the course of its business activities, recognizing that personal data is an important asset of each stakeholder and also an important asset for Toshiba that leads to the creation of new value.

Toshiba was quick to recognize the importance of protecting personal data: in 2000 it established the Toshiba Personal Data Program based on JIS Q 15001, a Japanese management system standard, and in 2001 it obtained Privacy Mark certification. Toshiba strives for continual improvement of its management system and accordingly renewed its Privacy Mark certification after undergoing the sixth renewal assessment in April 2011.

Personal Data Protection Framework

In May 2000, Toshiba established internal regulations and developed a personal data protection framework with the aim of acquiring the Privacy Mark.

In October 2004, Toshiba established a company-wide secretariat within the Information Security Center in order to engage in personal data protection activities closely linked to the Information Security Management Structure. The General Executive of the Information & Security Group serves as Toshiba's Chief Privacy Officer. The secretariat assists the Chief Privacy Officer with the implementation of personal data protection policies and measures.

Within internal organizations, the head of each corporate staff division and the president of each in-house company bear responsibility for personal data protection at their respective divisions as the personal data protection Management Executive. Each division establishes a framework in which the head of the general affairs section serves as the personal data protection Implementation Manager and the persons in charge of planning and information systems serve as Assistant Implementation Managers, and implements personal data protection accordingly.

[Chart: The Toshiba Group Personal Data Protection Structure]

In accordance with the Act on the Protection of Personal Information, which went into full effect in April 2005, group companies in Japan have developed similar structures and implemented personal data protection. Toshiba group companies outside Japan implement personal data protection based on the legal systems of the countries in which they are located.

Response to Incidents such as Leakage of Personal Data

As a countermeasure for any eventuality related to personal data, Toshiba Group has put in place a system for responding swiftly and ensuring appropriate disclosure.

In the event that an incident occurs, Toshiba responds in accordance with internal procedures. In the event a leakage of personal data or a situation that poses the risk of leakage occurs, the Implementation Manager of each division communicates and reports to the Information Security Center.

Upon receiving the report, the Information Security Center, in accordance with the relevant laws, ordinances and ministerial guidelines, consults with the Risk-Compliance Center and other divisions involved to reach a conclusion after considering the possibility of infringement of the rights and interests of the affected parties.

Personal Data Protection and Management Checks and Audits

Toshiba Group considers the autonomous implementation of a plan-do-check-action (PDCA) cycle to be a reliable means of appropriately managing personal data and confidential data. In view of this, each division conducts a self-audit of personal data protection. Based on the internal checklist for information security and personal data protection, each division performs a self-audit to identify discrepancies and implements the measures necessary to rectify them.

Personal data protection is also a compliance item in the management audit conducted by the Corporate Audit Division at each division.

Privacy Mark certification is an effective way of assuring the effectiveness of personal data protection. As of May 2011, a total of 23 companies, including Toshiba and group companies such as those that handle large volumes of customer personal data as contractors, had obtained Privacy Mark certification.

Incidents Related to Personal Data

In FY2010, no incident related to leakage of personal data managed by Toshiba occurred. We will further reinforce our efforts to prevent incidents related to personal data protection.

Personal Data Protection and Management Education

Toshiba provides yearly education on personal data protection, together with information security education, to executive officers and both regular and temporary employees. In FY2010, Toshiba further raised employee awareness by providing education on oversight responsibility and on measures to prevent accidents at outside contractors.

Protection of Customer Personal Data

Toshiba clearly states the purpose for which it uses customer personal data and, in principle, obtains personal data directly, based on the consent of the customers and other individuals concerned.

The personal information obtained essentially consists of basic personal data such as name, address, telephone number and email address. The main purposes for which Toshiba uses the personal data it holds are described on the following website.

Toshiba appropriately handles personal data in accordance with internal regulations and rigorously controls personal data using a framework integrated with the information security management structure.

Furthermore, personal data of shareholders, entrusted to a trust bank dealing with shareholder affairs, is also strictly managed.

Protection of Employee Personal Data

Toshiba obtains and uses employee personal data after first obtaining consent for the purpose of use. The Human Resources and Administration Division plays a central role in rigorously managing employee personal data.

Personal data of job seekers is appropriately protected by using such data only within the scope of the purpose of use for which consent is secured.

Personal Data Management at Contractors

When Toshiba contracts the handling of personal data to an outside contractor, it selects an appropriate contractor, such as a company that has acquired Privacy Mark certification, in accordance with the Information Security Evaluation Criteria. In addition to the regular contractor agreement entered into with the selected contractor, Toshiba concludes a memorandum concerning personal data protection or obligates the contractor to submit a written pledge concerning personal data protection. Toshiba periodically confirms the state of personal data handling at contractors through on-site audits and other means.